Field of the Disclosure
This invention relates to the field of cybersecurity and, more particularly, to a system and method to provide authoritative user-identity-recognition-based device association and proof of presence of the user at the device, and user affiliation based on static and association attributes of a recognized user. The invention also provides a method to break the “kill chain” that leads to a network compromise and/or a data breach, by enhancing the user login ceremony (authentication sequence) with identity recognition and affiliation as key trust metrics to prevent the exploitation of compromised user credentials.
Description of the Related Art
Legacy authentication mechanisms relied solely on the use of a password to identify a user authoritatively, with proof of possession of credentials as the single factor. This is referred to as the “what you know” factor. The likelihood of a password compromise being the root cause of an intrusion and data breach drove the industry to promote two-factor authentication based on the “what you have” factor as the quintessential second factor. The second factor could be a key fob with a one-time code, a fingerprint, a smart card, or other biometric techniques. The user must furnish proof of possession of two artifacts for multi-factor authentication. To strengthen passwords, “one-time” passcodes are used as a mechanism to introduce entropy.
However, a significant problem that remained was the proliferation of passwords as Internet-enabled applications and services came to be hosted in the cloud. Users face the challenge of creating strong passwords for every service or application they use, and the burden of making these passwords harder to guess or crack with automation. CAPTCHA (“Completely Automated Public Turing test to tell Computers and Humans Apart”) is used as a challenge-response to thwart automated password cracking attacks. The emerging cybersecurity threats, referred to as advanced persistent attacks, are highly coordinated, multi-stage attacks that leverage the user as the weakest link in the chain. The user is the carbon: the exploit and staging surface for such high-end attacks. Once a user's account is compromised, role-based access controls are rendered ineffective. That shifts the onus of breach prevention onto user behavior recognition. This is a challenge because a compromised user essentially delegates permissions and privileges to the attacker (human or malware) to perform legitimate actions and operations on behalf of the user, thereby rendering anomaly detection unreliable. Such compromised actions may range from financial transactions, online payments, attacks on critical infrastructure, theft of intellectual property, and takeover of Internet of Things (IoT) devices, to ransomware.
Other approaches, based on the use of symmetric or asymmetric encryption technologies, rely on solutions that manage passwords in an identity vault for automated authentication, or rely on a first entity to authoritatively authenticate a user in one realm for use in another realm by another relying entity (single sign-on). Such methods require implicit trust in the identity provider. The Security Token Service (STS) offers a protocol and schema (Security Assertion Markup Language, SAML) to achieve two-party trust. Other approaches propose the use of more than two (multi-part) keys for encryption of credentials. However, the original problem persists, as the user must still enter a username and password (combination pair) to log in to the primary provider (single sign-on), and the risk is further exacerbated because a single compromised credential now gives the attacker access to a plurality of websites and applications without requiring explicit re-authentication.
The stricter password strength requirements imposed by online services have led to users being unable to remember passwords, as is self-evident from the “Forgot Password” hyperlink and the security questions used to reset or recover passwords. The password-centric authentication paradigm is outdated and needs retooling to the realities of the modern cyber regime.
The major technology gap that remains is that none of the existing approaches provide conclusive “proof of identity recognition,” which is the key driver for “use of affiliation”: it enables dynamic and consensual attribution of the user, or of a user device, and provides referential integrity to a service provider for the purpose of personalization and customization of services for the user or user device. Further, the risks posed by social engineering, an intrusion method by which hackers exploit the vulnerability and psychology of human interactions for cybercrime, are amplified by reliance on a naïve user's awareness of the modi operandi of professional hackers and/or by shifting the onus of password protection to non-technical users in a utility-model, multi-tenant ecosystem.
Passwords are the weakest link in the cyber kill chain. Compromise of a single password may cause an intrusion and a subsequent data breach. Theft of passwords in a data breach may cause harm to several users. Breach of a user's password may lead to identity fraud. Accordingly, there is a need to protect passwords for responsible digital citizenship, to preempt data breaches caused by compromise of an employee or contractor password or by stolen devices, and to preempt cyber-attacks on ubiquitous IoT devices through malicious access.